Bug 474682 - SELinux is preventing munin-cron (munin_t) "read" to inotify (inotifyfs_t)
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 10
Hardware/OS: i686 Linux
Priority: low
Severity: high
Assigned To: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Reported: 2008-12-04 15:49 EST by David Jones
Modified: 2009-11-18 04:51 EST
Doc Type: Bug Fix
Last Closed: 2009-11-18 04:51:02 EST

Description David Jones 2008-12-04 15:49:37 EST
Description of problem:
SELinux is preventing munin-cron (munin_t) "read" to inotify (inotifyfs_t)

SELINUX provided Additional Information:

Source Context                system_u:system_r:munin_t:s0-s0:c0.c1023
Target Context                system_u:object_r:inotifyfs_t:s0
Target Objects                inotify [ dir ]
Source                        munin-cron
Source Path                   /bin/bash
Port                          <Unknown>
Host                          compnew.djbron.com
Source RPM Packages           bash-3.2-29.fc10
Target RPM Packages           
Policy RPM                    selinux-policy-3.5.13-26.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     comp1.home.com
Platform                      Linux comp1.home.com 2.6.27.5-117.fc10.i686 #1
                              SMP Tue Nov 18 12:19:59 EST 2008 i686 i686
Alert Count                   71
First Seen                    Wed 03 Dec 2008 07:25:01 PM CET
Last Seen                     Thu 04 Dec 2008 11:00:01 AM CET
Local ID                      beb4c07e-f036-4563-ba52-fc10c970ed7f
Line Numbers                  

Raw Audit Messages            

node=comp1.home.com type=AVC msg=audit(1228384801.437:405): avc:  denied  { read } for  pid=9925 comm="munin-cron" path="inotify" dev=inotifyfs ino=1 scontext=system_u:system_r:munin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:inotifyfs_t:s0 tclass=dir

node=comp1.home.com type=SYSCALL msg=audit(1228384801.437:405): arch=40000003 syscall=11 success=yes exit=0 a0=9e48a08 a1=9e49558 a2=9e48a30 a3=0 items=0 ppid=9923 pid=9925 auid=489 uid=489 gid=481 euid=489 suid=489 fsuid=489 egid=481 sgid=481 fsgid=481 tty=(none) ses=71 comm="munin-cron" exe="/bin/bash" subj=system_u:system_r:munin_t:s0-s0:c0.c1023 key=(null)

Version-Release number of selected component (if applicable):


How reproducible:
Automatically reported every 10 minutes approx

Steps to Reproduce:
1. Boot and Login

Actual results:


Expected results:


Additional info:

I have tried what setroubleshoot suggested, restorecon -v 'inotify', but that directory does not exist.

Changed this to: restorecon -v /proc/sys/fs/inotify

Note: it would be helpful if SELinux gave the full path to the directory or file affected.

Hope the following information is of help.

# df -h
Filesystem            Size  Used Avail Use% Mounted on
/dev/sda8              20G  5.5G   13G  30% /
/dev/sda10            2.5G   68M  2.3G   3% /tmp
/dev/sda9              20G  265M   18G   2% /home
/dev/sda7             114M   13M   96M  12% /boot
tmpfs                1009M  336K 1008M   1% /dev/shm

# /var/log/munin/munin-update.log
-bash: /var/log/munin/munin-update.log: Permission denied

# ls -lasi /var/log/munin
total 76
555281  4 drwxr-xr-x  2 munin munin  4096 2008-12-04 09:24 .
538561  4 drwxr-xr-x 21 root  root   4096 2008-12-04 09:28 ..
555293  8 -rw-r-----  1 munin adm    5456 2008-12-04 11:10 munin-graph.log
555309  4 -rw-r--r--  1 munin munin  1042 2008-12-03 17:43 munin-graph.log-20081203.gz
555310  4 -rw-r-----  1 munin adm    1266 2008-12-04 09:24 munin-graph.log-20081204.gz
555295  4 -rw-r-----  1 munin adm    4026 2008-12-04 11:10 munin-html.log
555311  4 -rw-r--r--  1 munin munin   865 2008-12-03 17:43 munin-html.log-20081203.gz
555314  4 -rw-r-----  1 munin adm     993 2008-12-04 09:24 munin-html.log-20081204.gz
555294  8 -rw-r-----  1 munin adm    6049 2008-12-04 11:10 munin-limits.log
555312  4 -rw-r--r--  1 munin munin  1106 2008-12-03 17:43 munin-limits.log-20081203.gz
555315  4 -rw-r-----  1 munin adm    1343 2008-12-04 09:24 munin-limits.log-20081204.gz
554971 16 -rw-r-----  1 munin adm   13308 2008-12-04 11:10 munin-update.log
555303  4 -rw-r--r--  1 munin munin  2615 2008-12-03 17:43 munin-update.log-20081203.gz
555300  4 -rw-r-----  1 munin adm    3262 2008-12-04 09:24 munin-update.log-20081204.gz

# find / -name inotify
/usr/lib/python2.5/site-packages/hgext/inotify
/usr/src/kernels/2.6.27.5-117.fc10.i686/include/config/inotify
/proc/sys/fs/inotify

# ls -lasi /proc/sys/fs/inotify
total 0
40416 0 dr-xr-xr-x 0 root root 0 2008-12-04 11:08 .
 6535 0 dr-xr-xr-x 0 root root 0 2008-12-04 08:11 ..
40421 0 -rw-r--r-- 1 root root 0 2008-12-04 11:08 max_queued_events
40419 0 -rw-r--r-- 1 root root 0 2008-12-04 11:08 max_user_instances
40420 0 -rw-r--r-- 1 root root 0 2008-12-04 11:08 max_user_watches

# cat /etc/group  (included to show Group members)
root:x:0:root
bin:x:1:root,bin,daemon
daemon:x:2:root,bin,daemon
sys:x:3:root,bin,adm
adm:x:4:root,adm,daemon
munin:x:481:
Comment 1 Daniel Walsh 2008-12-08 15:35:28 EST
You can allow this for now.

# audit2allow -M mypol -l -i /var/log/audit/audit.log
# semodule -i mypol.pp

Fixed in selinux-policy-3.5.13-33.fc10
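The audit2allow step in the comment above turns AVC denials like the one in the report into allow rules for a local policy module. The following added example (not part of the bug report, the Fedora policy, or audit2allow itself) parses AVC records the way that tool does and prints the resulting type-enforcement rules, so an administrator can read exactly what a module would grant before running semodule -i. The sample input is constructed: it contains the AVC and SYSCALL lines quoted in this bug plus two made-up denials in a fictitious example_t domain to show several permissions merging into one rule.

```python
import re
from collections import defaultdict

# Constructed sample input: the AVC and SYSCALL records quoted in the bug report (node=
# prefix dropped) plus two made-up denials in a fictitious example_t domain, included
# only so that the merging of several permissions into one rule is visible.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1228384801.437:405): avc:  denied  { read } for  pid=9925 comm="munin-cron" path="inotify" dev=inotifyfs ino=1 scontext=system_u:system_r:munin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:inotifyfs_t:s0 tclass=dir
type=SYSCALL msg=audit(1228384801.437:405): arch=40000003 syscall=11 success=yes exit=0 comm="munin-cron" exe="/bin/bash"
type=AVC msg=audit(1228384802.000:406): avc:  denied  { read } for  pid=1 comm="example" path="/var/log/example.log" scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:example_log_t:s0 tclass=file
type=AVC msg=audit(1228384803.000:407): avc:  denied  { write } for  pid=1 comm="example" path="/var/log/example.log" scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:example_log_t:s0 tclass=file
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for\s+(?P<fields>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value pairs, values may be quoted

def context_type(ctx):
    """Return the type (third field) of a context such as user:role:type:level."""
    return ctx.split(':')[2]

def parse_avc(line):
    """Parse one AVC denial record into a dict; return None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    return {
        'perms': set(m.group('perms').split()),
        'source': context_type(fields['scontext']),
        'target': context_type(fields['tcontext']),
        'tclass': fields['tclass'],
        'comm': fields.get('comm'),
    }

def allow_rules(lines):
    """Aggregate denials into allow rules of the kind audit2allow emits: one rule per
    (source type, target type, object class) with the permissions merged and sorted."""
    perms = defaultdict(set)
    for line in lines:
        avc = parse_avc(line)
        if avc:
            perms[(avc['source'], avc['target'], avc['tclass'])] |= avc['perms']
    rules = []
    for (src, tgt, cls), ps in sorted(perms.items()):
        plist = ' '.join(sorted(ps))
        plist = plist if len(ps) == 1 else '{ ' + plist + ' }'
        rules.append(f'allow {src} {tgt}:{cls} {plist};')
    return rules
```

For the report's own denial this yields `allow munin_t inotifyfs_t:dir read;`, which is as narrow as the permissive fix gets; a rule that names a broad type or many permissions is the signal to look for a proper policy update instead of loading the module.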
Comment 2 Bug Zapper 2009-11-18 04:38:20 EST
This message is a reminder that Fedora 10 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 10.  It is Fedora's policy to close all
bug reports from releases that are no longer maintained.  At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '10'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 10's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 10 is end of life.  If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora please change the 'version' of this 
bug to the applicable version.  If you are unable to change the version, 
please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
